Sage Advice - Cybersecurity Blog

MSIL / Samas.A Ransomware Advisory

2016 has seen widespread use of a new type of ransomware known as MSIL / Samas.A. Attackers are actively scanning the Internet for vulnerable systems and exploiting them to gain access to the internal network. One tool being used is JexBoss, which discovers and exploits vulnerable JBoss servers.

What is the issue?

Once inside the network, the ransomware queries Active Directory for a list of Windows computers. The ransomware then “pings” the computers to compile a list of active hosts. Public and private encryption keys are generated based upon the hostnames. The private keys are sent to the attacker.

The ransomware and corresponding public key are distributed to all of the active computers on the network. The ransomware launches in a coordinated attack, hitting the entire network in a few minutes. Once active, the volume shadow copies of the computers are deleted, and files on the computer are encrypted. Backup-related files are specifically sought out for encryption / deletion.

Previous versions of ransomware infected one system, which then encrypted the files on the network. Only one key was needed to decrypt all of the files. Now every active computer on the network has a unique encryption key. The criminals know how many devices have been infected, and can charge a ransom amount relative to the size of the network. Ransom has increased from $400 - $600 to tens of thousands of dollars.
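The coordinated shadow-copy deletion described above leaves a recognizable trace in process-creation logs: many hosts running a deletion command within minutes of each other. The following detection sketch is an added example, not part of the original advisory. The log format, host names, five-minute window and three-host threshold are assumptions, as is the use of the stock `vssadmin` and `wmic` utilities, since the advisory does not say how the copies are deleted.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the advisory): "timestamp host command-line".
SAMPLE_LOG = """\
2016-03-01T02:14:05 WS-014 vssadmin.exe delete shadows /all /quiet
2016-03-01T02:14:40 WS-022 C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet
2016-03-01T02:15:10 FS-001 wmic shadowcopy delete
2016-03-01T02:16:30 WS-031 vssadmin.exe delete shadows /all /quiet
2016-03-01T09:00:00 BK-001 vssadmin.exe list shadows
2016-03-02T11:30:00 WS-014 vssadmin.exe delete shadows /for=C: /oldest
not-a-timestamp WS-099 vssadmin.exe delete shadows /all
"""

# Assumption: deletion is done with the stock Windows utilities below.
SHADOW_DELETE = re.compile(
    r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    re.IGNORECASE,
)

def parse_events(text):
    """Return sorted (time, host) pairs for shadow-copy deletion commands."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not SHADOW_DELETE.search(parts[2]):
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1]))
        except ValueError:
            continue  # skip malformed timestamps rather than abort the scan
    return sorted(events)

def find_bursts(events, window=timedelta(minutes=5), min_hosts=3):
    """Return (start, end, hosts) where min_hosts distinct hosts act within window."""
    bursts, i = [], 0
    while i < len(events):
        start, j, hosts = events[i][0], i, set()
        while j < len(events) and events[j][0] - start <= window:
            hosts.add(events[j][1])
            j += 1
        if len(hosts) >= min_hosts:
            bursts.append((start, events[j - 1][0], sorted(hosts)))
            i = j          # continue after the burst
        else:
            i += 1         # a lone deletion (e.g. admin cleanup) is not a burst
    return bursts

if __name__ == "__main__":
    for start, end, hosts in find_bursts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {start} to {end}: shadow copies deleted on {len(hosts)} hosts: {hosts}")
```

Tune the window and host threshold to the environment; a single host pruning old shadow copies, like the last well-formed sample line, is deliberately left unflagged.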

Should we be concerned?

The FBI has put out an alert seeking help from businesses and security experts for emergency assistance in a ransomware investigation.

What types of systems are vulnerable?

All supported releases of Microsoft Windows operating systems are vulnerable.

Recommended actions:

  • Ensure that your operating systems and applications are up-to-date with patches. Malware typically exploits unpatched third-party software. MSIL/Samas.A searches the Internet for vulnerable systems to exploit.
  • If you have systems on the Internet where users enter credentials, be sure to encrypt the traffic and require multi-factor authentication.
  • Have a backup process that maintains current backups of all your important data. The backups should be “air-gapped” (isolated from the LAN) or stored on a locked-down VLAN. Test the restore process frequently. If you are infected with ransomware, being able to restore from backup may be the only thing that saves you from paying the ransom.
  • Review your Incident Response plan and procedures. Practice your response.
  • Have a management discussion regarding payment of ransom (e.g. situations where the organization might pay ransom). If payment is a possibility, consider proactively establishing a Bitcoin account at a Bitcoin Exchange.

Are you prepared?

Being prepared to confidently respond to and investigate cyber-attacks is essential in today's threat environment. We've developed our Cyber Forensics Readiness Program to give you that confidence. The program prepares Incident Responders and IT personnel to quickly and cost-effectively capture and maintain evidence in a forensically sound manner. The training is supported by semi-annual collection exercises and an ongoing relationship with experienced Cyber Forensic Investigators.


Topics: Threat Advisories, Ransomware